BT sent details of some of its customers in an unencrypted Excel spreadsheet via email to ACS:Law, the ISP admitted on Tuesday.
In a thread on BT's support forums, customers of the ISP questioned a company moderator on the issue of ACS:Law's leaked emails, which included the personal details of thousands of people accused of unlawfully sharing pornography and other media online. The moderator responded that BT had indeed sent such details to ACS:Law unencrypted, but did not say for sure whether those details had been leaked.
"In answer to the question above about whether we sent out customer details in unencrypted files, I can confirm that this did happen but has no bearing on the current situation," 'NigelE' wrote. "We are investigating how this occurred as we have robust systems for managing data."
"We have already ensured that this will not happen again. In this circumstance our legal department sent data to a firm of solicitors (ACS:Law) which reached them safely and we trusted that they would keep the data safe. At a later date, due to an attack on the systems of the law firm, data was leaked, which was outside of our control. At this time we do not believe any of BT's customers' details have been compromised by this leak, although we are continuing to pressure ACS:Law for confirmation of this."
NigelE also noted that, while BT was obligated by a court order to send the details to ACS:Law, the ISP was now reviewing its policy in this regard.
"Our first concern is with our customers but we have been obliged to respond to court orders requiring that we disclose customer data," he wrote. "However, there is increasing evidence that there are deep concerns regarding the integrity of the process being used by rights holders to obtain customer data from ISPs for pursuing alleged copyright infringements."
"We need to have further confidence that the initial information gathered by rights holders is robust and that our customers will not be treated unfairly. We are urgently exploring how this can be assured, including through the assistance of the courts."
Members of the forum subsequently pointed out that BT might be in breach of the Data Protection Act for sending the details unencrypted. The Information Commissioner's Office told ZDNet UK on Wednesday that it was looking into the matter as part of its enquiries around the ACS:Law breach.
Rivals such as TalkTalk and Virgin Media have not agreed to disclose such information to ACS:Law, which acts on behalf of rights holders and tells suspected infringers that they have to pay hundreds of pounds or face court action. Despite thousands of such letters being sent out, not a single case appears to have gone to court.